SCA: security update for org.apache.spark:spark-network-common_2.12, org.apache.spark:spark-network-common_2.13 (GHSA-6p6v-m64v-jx8q)

high Tenable Cloud Security Plugin ID 435638

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before
4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between
nodes. When spark.network.crypto.enabled is set to true (it is set to false by default), but
spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode
(AES/CTR/NoPadding), which provides encryption without authentication. This vulnerability allows a man-in-
the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially
compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To
mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to
enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which
provides stronger transport security. (CVE-2025-55039)

See Also

https://github.com/advisories/GHSA-6p6v-m64v-jx8q

Plugin Details

Severity: High

ID: 435638

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 10/16/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.1

Percentile: 7.66

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-55039

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/15/2025

Vulnerability Publication Date: 10/15/2025

Reference Information

CVE: CVE-2025-55039

cwe: CWE-326